diff options
| author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-08-03 18:03:12 -0500 |
|---|---|---|
| committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-08-03 18:03:12 -0500 |
| commit | 2dbef2f2a9e759a80d2decb6862518acf4919c59 (patch) | |
| tree | 8d2a6c3e02bdb0f779448a9417980590ba00d634 /pngrutil.c | |
| parent | 4ac8b5e0d6af292f524da820177aa8ada4433e44 (diff) | |
| download | libpng-2dbef2f2a9e759a80d2decb6862518acf4919c59.tar.gz | |
[libpng16] Restored IDAT length check. Previously the calculated limit was five
bytes too small (neglected to account for a partial DEFLATE buffer)
Diffstat (limited to 'pngrutil.c')
| -rw-r--r-- | pngrutil.c | 12 |
1 files changed, 5 insertions, 7 deletions
diff --git a/pngrutil.c b/pngrutil.c index a57f13bba..2baa11512 100644 --- a/pngrutil.c +++ b/pngrutil.c @@ -196,7 +196,6 @@ png_read_chunk_header(png_structrp png_ptr) } else { -#if 0 /* some pngtests are failing */ size_t row_factor = (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1) + 1 + (png_ptr->interlaced? 6: 0)); @@ -204,17 +203,16 @@ png_read_chunk_header(png_structrp png_ptr) limit=PNG_UINT_31_MAX; else limit = png_ptr->height * row_factor; - limit += 6 + 5*limit/32566; /* zlib+deflate overhead */ + limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */ limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX; -#else - limit=PNG_UINT_31_MAX; -#endif } if (length > limit) { - png_debug2(1," png_ptr->push_length = %lu, limit = %lu", - (unsigned long)png_ptr->push_length,(unsigned long)limit); + printf(" length = %lu, limit = %lu\n", + (unsigned long)length,(unsigned long)limit); + png_debug2(0," length = %lu, limit = %lu", + (unsigned long)length,(unsigned long)limit); png_chunk_error(png_ptr, "chunk data is too large"); } |